Integration-Architect Salesforce Certified Integration Architect (SP23) Question and Answers

Timing aspects, real-time/near real-time (synchronous or asynchronous), batch and update frequency are relevant details that an integration architect should seek to specifically solve for integration architecture needs of the program. These details help to determine the appropriate integration pattern, technology, and solution for the business requirements. Core functional and non-functional requirements for User Experience design, Encryption needs, Community and license choices are important for the overall program design, but not specific to the integration architecture needs. Integration skills, SME availability, and Program Governance details are also important for the program execution, but not specific to the integration architecture needs.

 Integrating Salesforce with Data Warehouse, Order Management and Email Management System is the best option considering Salesforce capabilities. Salesforce can be used as the primary case management system, replacing the existing one. Salesforce can also integrate with the Data Warehouse to provide analytics and reporting on case data. Salesforce can integrate with the Order Management System to access order information related to cases. Salesforce can integrate with the Email Management System to send and receive emails from customers and agents. Reference: Salesforce Integration Architecture Designer Resource Guide, page 16

The Salesforce Community Cloud should support OpenId Connect Authentication Provider and Registration Handler, and SAML SSO and just-in-time provisioning for self-registration and SSO. OpenId Connect is a protocol that allows users to authenticate with an external identity provider and access Salesforce resources. A registration handler is a class that implements the Auth.RegistrationHandler interface and defines how to create new users or update existing users in Salesforce from the information received from the identity provider. SAML SSO is a protocol that allows users to log in to Salesforce with a single credential from an identity provider. Just-in-time provisioning is a feature that allows creating or updating user accounts in Salesforce based on SAML assertions.

References: [OpenID Connect Authentication Providers], [Registration Handler Interface], [SAML Single Sign-On for Communities].

 Using a third party integration tool to stage records off platform is a solution that can handle the high volume of data and avoid hitting the API limits for the REST API call to the external system. A third party integration tool can also provide features such as data transformation, error handling, and logging. Due to high volume of records, number of concurrent requests can hit the limit for the REST API call to external system is not a solution, but a problem that needs to be addressed. Due to high volume of records, the external system will need to use a BULK API Rest endpoint to connect to Salesforce is not a solution, as the requirement is to send data from Salesforce to the external system, not vice versa. Due to high volume of records, Salesforce will need to make a REST API call to external system is not a solution, as it does not address how to handle the high volume of data and avoid hitting the API limits. Reference: Salesforce Integration Architecture Designer Resource Guide, page 18-19

The Architect should determine the data access prevention requirements and then identify the system constraints before recommending a solution. The data access prevention requirements are the business rules and policies that define how to prevent deactivated employees from accessing Salesforce data. For example, the Architect should determine whether the HR system can send a notification to Salesforce when an employee is deactivated, or whether Salesforce needs to query the HR system periodically to check the employee status. The system constraints are the technical limitations and challenges that may affect the integration solution. For example, the Architect should determine whether the HR system supports outbound or inbound integration, what are the security and authentication protocols, what are the data formats and protocols, and what are the performance and scalability requirements. The frequency of the integration is not as important as the requirements and constraints, as it can be adjusted based on the business needs and technical feasibility. The data volume requirements and loading schedule are not relevant for this scenario, as they are more applicable for data migration or replication scenarios.

The integration architect should recommend enforcing separate security protocols and return formats at the first tier of the API-led architecture. The first tier is also known as the experience layer, which is responsible for providing a tailored interface for each system of engagement. By enforcing security and format at this layer, the integration architect can ensure that each system of engagement can access the data in a secure and consistent way, without affecting the other layers.

References: [API-led Connectivity]

The integration architect should recommend using Salesforce Connect to display the financial transactions as an external object. Salesforce Connect is a feature that allows you to integrate external data sources with Salesforce and access them in real time via external objects. External objects are similar to custom objects, but they store metadata only and not data. You can use external objects to display data from the core banking system in the customer community without copying or syncing the data. You can also use standard Salesforce features, such as reports, dashboards, or global search, with external objects. Salesforce External Service is a feature that allows you to import an external schema definition and generate an Apex wrapper class that can invoke an external service. This is useful for integrating complex business processes or workflows with Salesforce, but not for displaying data in a community lightning page. Iframe is a HTML element that allows you to embed another web page within a web page. This is not a recommended solution for displaying data in a customer community, as it can pose security risks, performance issues, or user interface problems.

References: [Salesforce Connect], [Salesforce External Services], [Using Iframes in Lightning Components]

The continuation class in Apex allows you to make long-running requests to external web services and process their responses in a callback method. This is useful for scenarios where the response time exceeds the normal Apex limits, such as 10 seconds for synchronous transactions or 120 seconds for asynchronous transactions. By using continuation, you can avoid hitting these limits and provide a better user experience1

References: Callout Limits and Limitations

Middleware should coordinate request delivery and payment processing, and Payment System should process a payment request only once. This solution ensures that each payment request is delivered to the Payment System in a reliable and consistent manner, and avoids duplicate or conflicting updates to the same Payment Request record. Middleware can act as a mediator between the Data Entry Point and the Payment System, and implement logic to handle errors, retries, and acknowledgments. Payment System can use the globally unique identifier to check if a payment request has already been processed, and avoid processing it again. References: Certification - Integration Architect - Trailhead, [Integration Patterns and Practices]

This is because SSL/TLS mutual authentication is a security feature that allows Salesforce to verify the identity of the client that connects to its API endpoint on port 8443. To enable this feature, you need to upload a client certificate to Salesforce and assign the “Enforce SSL/TLS Mutual Authentication” user permission to the users who need to access the company portal. The other options are not sufficient for this scenario because:

• A, Enable My Domain and SSL/TLS, is a prerequisite for using SSL/TLS mutual authentication, but it does not ensure that all integrations use it. My Domain allows you to customize your Salesforce domain name and SSL/TLS provides encryption for your data in transit.
• C, Generate a Self-signed Certificate, is a step that you need to do on the client side to create a certificate that can be used for SSL/TLS mutual authentication, but it does not ensure that all integrations use it. You also need to upload the certificate to Salesforce and assign the user permission.
• D, Generate a CA-signed Certificate, is an alternative to generating a self-signed certificate, but it also does not ensure that all integrations use SSL/TLS mutual authentication. You still need to upload the certificate to Salesforce and assign the user permission.

References:

• Certificates in Mutual Authentication
• Configure Your API Client to Use Mutual Authentication
• Salesforce Mutual Authentication Setup

Use Salesforce Connect if the database supports Open Data Protocol (OData). Salesforce Connect allows you to integrate external data sources with Salesforce without copying the data into Salesforce. OData is a standard protocol for accessing data from different sources. Use Salesforce Connect if the database supports Open Database Connectivity (ODBC) is incorrect because ODBC is not supported by Salesforce Connect. Use Heroku Connect if the data is hosted in Heroku is incorrect because Heroku Connect is used to synchronize data between Salesforce and a Heroku Postgres database, not an on-premises system.

The integration architect should consider the impact of deleted records on system functionality, the ability to delete personal data in every system, and the ability to provide a 360-degree view of the customer. These are important requirements for ensuring that the company can comply with the privacy and data protection regulations, as well as deliver a customer-centric service. Option A is not correct because manual steps and procedures are not desirable for deleting personal data on demand. The integration architect should aim for an automated and reliable solution that minimizes human intervention and errors. Option D is not correct because restoring deleted records when needed may violate the privacy and data protection regulations, as well as the customer’s consent. The integration architect should ensure that the deletion of personal data is permanent and irreversible.

Change Data Capture is a feature that enables you to receive near-real-time changes of Salesforce records, including create, update, delete, and undelete operations. Change Data Capture retains change events in the event bus for up to three days, so you can resume data replication from the point of failure. Change Data Capture also provides a consistent and reliable way to synchronize data changes with external systems, without the need for custom triggers or code. Reference: Salesforce Integration Architecture Designer Resource Guide, page 24

The system requirement is to expose data from the on-premise applications to Salesforce for a more unified user experience in real-time. The possible actions that can fulfill this requirement are:

• Answer B is valid because developing custom APIs on the company’s network that are invokable by Salesforce can allow Salesforce to access the data from the on-premise applications in real-time. However, this action requires opening a firewall port or using a reverse proxy to allow Salesforce to communicate with the on-premise APIs securely3
• Answer C is valid because deploying MuleSoft to the on-premise network and designing externally facing APIs to expose the data can also enable Salesforce to access the data from the on-premise applications in real-time. MuleSoft is an integration platform that can connect various systems and applications using APIs and standard protocols. MuleSoft can also handle security, orchestration, transformation, and other integration aspects.
• Answer A is not valid because developing an application in Heroku that connects to the on-premise database via an ODBC string and VPC connection is not a real-time solution. Heroku is a cloud platform that can host web applications and services, but it cannot expose data from an on-premise database directly to Salesforce. To use Heroku for this purpose, an ETL tool or a middleware solution would be needed to synchronize the data between the on-premise database and Heroku, which would introduce latency and complexity to the integration.
• Answer D is not valid because running a batch job with an ETL tool from an on-premise server to move data to Salesforce is also not a real-time solution. ETL stands for extract, transform, and load, which is a process of moving data from one system to another in batches. ETL tools can be used for data migration or integration, but they cannot provide real-time access to data from on-premise applications to Salesforce. ETL tools also have limitations on data volume, frequency, and reliability.

1: Bulk API Limits 2: Bulk API Features 3: Integrating with Salesforce using Custom Web Services : MuleSoft Overview : Heroku Overview : ETL Overview

The API that should be used for the Salesforce platform event solution is Tooling API. Tooling API is a specialized API that exposes metadata used in developer tooling that you can access through REST or SOAP. You can use Tooling API to create, update, or delete platform event definitions and fields4 Streaming API is used to subscribe to platform events and receive notifications when they are published5

References: Platform Events Developer Guide | Salesforce Developers, Define and Publish Platform Events Unit | Salesforce Trailhead

QUESTIONNO: 241

Northern Trail Outfitters is in the final stages of merging two Salesforce orgs but needs to keep the retiring org available for a short period of time for lead management as it is connected to multiple public web site forms. The sales department has requested that new leads are available in the new Salesforce instance within 30 minutes.

Which two approaches will require the least amount of development effort?

Choose 2 answers

A Configure named credentials in the source org.

B Use the Composite REST API to aggregate multiple leads in a single call.

C Use the tooling API with Process Builder to insert leads in real time.

D Call the Salesforce REST API to insert the lead into the target system.

Answer: A, B

The two approaches that will require the least amount of development effort are configuring named credentials in the source org and using the Composite REST API to aggregate multiple leads in a single call. Named credentials are a type of metadata that store authentication information for accessing external services, such as the target Salesforce org. By using named credentials, you can simplify the code for making callouts and avoid hardcoding credentials or tokens. The Composite REST API is a resource that allows you to execute multiple REST API requests in a single call. You can use the Composite REST API to create, update, or delete up to 25 records in one request. This can reduce the number of API calls and improve performance.

References: [Named Credentials], [Composite Resources]

The first thing an integration architect should validate if a callout from a Lightning Web Component to an external endpoint is failing is the endpoint domain has been added to Cross-Origin Resource Sharing (CORS). CORS is a mechanism that allows web browsers to make requests to servers on different origins, such as different domains, protocols, or ports. CORS requires the server to send back a special header that indicates whether the browser is allowed to access the resource or not. If the endpoint domain is not added to the CORS whitelist in Salesforce, the browser will block the callout and throw an error. Option B is not correct because Content Security Policies (CSP) are used to control what resources can be loaded on a Visualforce or Lightning page, such as scripts, stylesheets, images, etc. CSP does not affect the callout from a Lightning Web Component to an external endpoint. Option C is not correct because outbound firewall rules are used to restrict the network traffic from Salesforce to external systems. Firewall rules are configured at the network level, not at the Salesforce level. Option D is not correct because Remote Site Settings are used to specify the domains that are allowed for callouts from Apex code, not from Lightning Web Components. References:

• Working with CORS and CSP to Call APIs from LWC
• [Cross-Origin Resource Sharing (CORS)]

The recommended solution is to use a time-based workflow rule. A time-based workflow rule is a type of workflow rule that executes actions at a specific time, such as a certain number of days before or after a record field value. By using a time-based workflow rule, you can send an email alert to the contacts of the accounts that do not qualify for a business extension for the next month, and include a meeting invite in the email. This solution can handle large volumes of data and does not require any custom code. Using batch Apex, process builder, or trigger is not a recommended solution because they are more complex and require custom code or configuration. Batch Apex is a way to run large-scale and long-running jobs that operate on many records. Process builder is a tool that lets you automate business processes by creating a process with criteria and actions. Trigger is a type of Apex code that executes before or after database operations, such as insert, update, delete, or undelete.

An API gateway is a component that acts as a single point of entry for all cloud applications to access on-premise resources and services. It can provide security, routing, transformation, and other features to facilitate integration. An API gateway component should be deployable behind a DMZ or perimeter network, which is a subnetwork that separates the internal network from the external network and provides an additional layer of security. The middleware solution should also be capable of establishing a secure API gateway between cloud applications and on-premise resources, which may involve using protocols such as HTTPS, SSL/TLS, or VPN. The OAuth security protocol is not a requirement for choosing a middleware solution, as it is a standard for authorizing access to resources on behalf of a user. The middleware solution’s ability to interface directly with databases via an ODBC connection string is also not a requirement, as it is a specific feature that may or may not be needed depending on the integration scenario. Reference: Salesforce Integration Architecture Designer Resource Guide, page 14-15

Change Data Capture Event is the best option to meet this requirement. Change Data Capture Event is a type of streaming event that notifies subscribers of changes to Salesforce records, such as creation, update, delete, and undelete operations1. By subscribing to Change Data Capture Event for the Case object, the dashboard component can receive real-time updates on the number of closed Cases. Push Topic Event is another type of streaming event that notifies subscribers of changes to Salesforce records that match a SOQL query2. However, Push Topic Event has some limitations, such as not supporting all SOQL features and not capturing delete and undelete operations3. Platform Event is a type of streaming event that delivers custom notifications within the Salesforce platform or from external sources4. Platform Event is not suitable for this requirement because it is not tied to Salesforce records and requires custom logic to publish and subscribe. Generic Event is a type of streaming event that sends custom JSON notifications to subscribers without a predefined schema5. Generic Event is not suitable for this requirement because it is not tied to Salesforce records and requires custom logic to publish and subscribe.

• Option A is correct because external gateway products in use can affect the performance and security of outbound integrations from Salesforce to on-premise servers. External gateway products are software or hardware devices that act as intermediaries between Salesforce and the on-premise servers, such as firewalls, proxies, load balancers, or VPNs. They can have different configurations, features, and limitations that can impact the speed, reliability, and security of the data transmission. For example, some external gateway products may require authentication, encryption, or compression of the data, which can add overhead and latency to the integration. Some external gateway products may also have bandwidth or throughput limits, which can affect the scalability and availability of the integration. Therefore, the architect should consider the external gateway products in use before recommending a solution.
• Option B is incorrect because a default gateway restriction is not a factor that can affect the performance and security of outbound integrations from Salesforce to on-premise servers. A default gateway restriction is a feature that allows administrators to restrict outbound requests from Salesforce to a specific IP address or domain name. This can help prevent unauthorized or malicious requests from Salesforce to external systems. However, this feature does not affect the performance or security of the outbound requests themselves, as it only acts as a filter for the destination of the requests.
• Option C is incorrect because considerations for using deterministic encryption are not relevant for outbound integrations from Salesforce to on-premise servers. Deterministic encryption is a type of encryption that produces the same ciphertext for the same plaintext input. This can help preserve some functionality and performance of encrypted data in Salesforce, such as filtering, sorting, and indexing. However, deterministic encryption is not applicable for outbound integrations from Salesforce to on-premise servers, as it is only supported for custom fields and not for standard fields or attachments. Moreover, deterministic encryption does not affect the security of the data transmission itself, as it only encrypts the data at rest in Salesforce.
• Option D is incorrect because Shield Platform Encryption limitations are not relevant for outbound integrations from Salesforce to on-premise servers. Shield Platform Encryption is a feature that allows administrators to encrypt sensitive data at rest in Salesforce using AES 256-bit encryption. This can help protect data from unauthorized access or theft. However, Shield Platform Encryption limitations are not relevant for outbound integrations from Salesforce to on-premise servers, as they only affect the functionality and performance of encrypted data in Salesforce, such as searching, reporting, or validation rules. Shield Platform Encryption does not affect the security of the data transmission itself, as it only encrypts the data at rest in Salesforce.

References: Salesforce Integration Patterns and Practices : Salesforce Integration Guide : Restrict Outbound Requests with a Default Gateway : Deterministic Encryption : Shield Platform Encryption Considerations : Shield Platform Encryption : Shield Platform Encryption Architecture

 Idempotent design means that the same request can be repeated multiple times without changing the outcome. This is useful for avoiding duplicate orders in case of network failures or timeouts. By implementing idempotent design, the sales representatives can retry the order(s) in question without creating duplicates in the manufacturing system. Outbound messaging is not a reliable solution because it does not guarantee delivery or acknowledgement of messages. Scheduled apex is not a real-time solution and may not catch all the duplicate or missing orders

 The OAuth protocol is a standard way to authorize access to web resources. By configuring a connected app with an authorization endpoint of the API gateway, Salesforce can obtain an access token from the API gateway and use it to invoke the external API securely. This avoids the need to manage certificates or user credentials for authentication2

References: 1: Data Virtualization Pattern 2: OAuth 2.0 Web Server Authentication Flow

• Option D is correct because Platform Shield Encryption allows you to encrypt standard fields and use them in workflow rules. Platform Shield Encryption uses AES 256-bit encryption to protect sensitive data at rest, while preserving platform functionality12
• Option A is incorrect because Cryptography Class is a set of Apex methods for creating digests, message authentication codes, signatures, and encryption. It does not provide a way to encrypt standard fields or use them in workflow rules3
• Option B is incorrect because Data Masking is a feature that replaces sensitive data in sandboxes with dummy data. It does not encrypt data in production or allow the use of encrypted data in workflow rules45
• Option C is incorrect because Classic Encryption is a feature that encrypts custom fields with 128-bit AES encryption. It does not support standard fields or workflow rules67

References: 1: Salesforce Shield - Data Monitoring & End to End Encryption 2: How Shield Platform Encryption Works 3: Crypto Class 4: Data Masking - Anonymize Sensitive Data 5: Secure Your Sandbox Data with Salesforce Data Mask 6: What’s the Difference Between Classic Encryption and Shield Platform Encryption? 7: Salesforce Classic vs. Salesforce Shield Platform Encryption: Which One Do You Need?

The typical and worst-case historical response times, and how many concurrent service calls are being placed are two considerations that an integration architect should make when building a scalable integration solution for synchronous callouts to “available to promise” services. These two factors can affect the performance, reliability, and availability of the integration solution, as well as the user experience of the customer checkout process. The integration architect should design the solution to handle high volumes of service calls, optimize the response times, handle errors and timeouts, and avoid hitting governor limits or service quotas. References: Certification - Integration Architect - Trailhead, [Callout Limits and Limitations], [Integration Patterns and Practices]

 Outbound Message is a SOAP-based notification service that sends information about changes in Salesforce to a specified endpoint. It is a type of Remote Process Invocation—Fire and Forget integration pattern, which means that Salesforce does not wait for a response from the external system. Outbound Message can be configured using workflow rules or process builder, and it can include a subset of fields of the object that triggered the message. Outbound Message requires the external system to expose a SOAP web service that conforms to the WSDL generated by Salesforce1.

SOAP API is a way to access Salesforce data and functionality using SOAP (Simple Object Access Protocol), which is a standard XML-based protocol for exchanging structured data over the web. SOAP API can be used for both inbound and outbound integration, and it supports two types of WSDL (Web Service Description Language) files: Enterprise and Partner. Enterprise WSDL is a strongly typed WSDL file that is specific to an organization’s Salesforce configuration. It can be used when the client application knows the objects and fields it needs to access at compile time. Partner WSDL is a loosely typed WSDL file that is generic for any organization. It can be used when the client application needs to access data dynamically at run time2.

Therefore, the correct answer is A, because Outbound Message is suitable for Fire and Forget integration from Salesforce to the legacy system, and SOAP API using Enterprise WSDL is suitable for getting response back in a strongly typed format from the legacy system to Salesforce.

References: 1: Remote Process Invocation—Fire and Forget | Integration Patterns and Practices | Salesforce Developers 2: SOAP API Developer Guide | SOAP API Basics | Salesforce Developers

The integration consultant should consider the following authorization and authentication needs while integrating the DMS and ESB with Salesforce:

• Users should be authorized to view information specific to the customer they are servicing without a need to search for customer. This means that the integration should provide a seamless and contextual access to the customer billing information and generated bills from the DMS and ESB, based on the customer record or case that the user is working on in Salesforce.
• Consider Enterprise security needs for access to DMS and ESB. This means that the integration should comply with the security policies and standards of the Enterprise, such as encryption, auditing, logging, monitoring, etc.
• Users should be authenticated into DMS and ESB without having to enter username and password. This means that the integration should use a single sign-on (SSO) mechanism that allows users to access multiple systems with one login credential, such as OAuth or SAML34

References: Authorization Through Connected Apps and OAuth 2.0, Single Sign-On for Desktop and Mobile Applications using SAML and OAuth

The integration consultant should implement monitoring by identifying critical business processes and establishing automation to monitor performance against established benchmarks. This approach can help detect and diagnose any degradation in Salesforce performance, such as slow response time, high error rate, or low availability. The automation can use various tools and methods, such as platform events, event monitoring, health check, or third-party monitoring services123

References: Proactive Monitoring - Salesforce.com, 17 Free Ways to Monitor Your Salesforce Org | Salesforce Ben, Measure Lightning Experience Performance and Experienced … - Trailhead

Handle verification process error in the Verification Webservice API in case there is a connection issue to the Webservice or if it responds with an error. This solution ensures that the agent can see an error message when the credit verification process failed, and take appropriate actions. The Verification Webservice API can implement error handling logic to catch any exceptions or errors that occur during the callout to the external agencies, and return a meaningful error message to the agent. The agent can then retry the verification process, or escalate the issue to a supervisor. References: Certification - Integration Architect - Trailhead, [Apex Web Services and Callouts]

The Batch Data Synchronization pattern is suitable for this business use case because it allows transferring large volumes of data between Salesforce and the scheduling system in batches. This can handle the surge of requests for workshop registrations without overloading the systems or affecting the performance. The batch process can run at regular intervals or on demand to synchronize the data between the systems1

1: Batch Data Synchronization Pattern